UMA permission endpoint, as defined in the Federated Authorization for User-Managed Access (UMA) 2.0 specification.

Use this endpoint to request permission tickets to the authorization server during the UMA grant flow.

ActionHTTP Method

You must compose the path to the token endpoint addressing the specific realm where the token will be issued. For example, https://openam.example.com:8443/openam/uma/realms/root/realms/subrealm1/permission_request.

The permission request endpoint does not support any parameters. To authenticate to the endpoint, send an Authorization: Bearer header with the PAT of the resource owner.

To request a ticket, send an HTTP POST call to the endpoint specifying the resource and the scope that the permission ticket applies to in body of the call as a JSON document that follows the UMA 2.0 specification. For example:

$ curl -X POST \
--header 'authorization: Bearer 057ad16f-7dba-4049-9f34-e609d230d43a' \
--header 'cache-control: no-cache' \
--header 'content-type: application/json' \
--data '[
        "resource_id" : "ef4d750e-3831-483b-b395-c6f059b5e15d0",
        "resource_scopes" : ["download"]
]' \
    "ticket": "eyJ0eXAiOiJ...XPeJi3E"

Both of the objects in the JSON body are required. To obtain the resource ID, query the "/uma/resource_set" endpoint.


The default lifetime for a permission ticket is 120 seconds. Alter it by going to Realms > Realm Name > Services > UMA Provider, and editing the Permission Ticket Lifetime (seconds) property.

For an example of requesting a permission ticket in the flow, see The UMA Grant Flow.

Read a different version of :